#!/bin/sh
# Build a qcow2 image from a bootc buildah container
# resulting image will be in tmp/<buildah id>/qcow2/disk.qcow2
# Usage: bootc-buildah-qcow.sh <buildah id>
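set -eu
# Exactly one argument, the buildah working-container id or name, is required.
# Fail with a usage line instead of the bare "unbound variable" that set -u
# would otherwise produce.
if [ $# -lt 1 ] || [ -z "$1" ]; then
    printf 'Usage: %s <buildah id>\n' "$0" >&2
    exit 1
fi
BUILDAH_ID="$1"
# The id is spliced into an OCI tag, into paths under ./tmp and into commands
# that are run through sudo, so only accept the character set a valid
# container name / image tag can consist of anyway. Anything else would have
# failed at "buildah commit" with a less helpful error.
case "$BUILDAH_ID" in
    *[!A-Za-z0-9_.-]*)
        printf 'ERROR: invalid buildah id: %s\n' "$BUILDAH_ID" >&2
        exit 1
        ;;
esac
# directory this script lives in; the sudo askpass helper is looked up here
MYDIR=$(dirname "$0")
# temporary image tag the buildah container is committed to; removed on exit
OCI_TAG="localhost/bootc-tmp:$BUILDAH_ID"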
# Derive the SSH public key that the built VM will accept for root.
# The private key is embedded in standard-inventory-qcow2 (presumably inside a
# triple-quoted string, hence the `"""` prefix strip); it is streamed straight
# into ssh-keygen on stdin so the secret never lands in a file.
# keep this in sync with ./runqemu.py
INVENTORY="${LSR_SCRIPTDIR:-.}/standard-inventory-qcow2"
PUBKEY=$(sed -n -e '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/{s/^.*"""//;p;}' "$INVENTORY" \
    | ssh-keygen -y -f /dev/stdin)
# Graph root of the invoking user's (or, when root, the system's) podman
# storage; it is handed to the image-builder container so it can see $OCI_TAG.
STORAGE=$(podman info --format '{{.Store.GraphRoot}}')
# /etc/os-release of the image being built; selects distro-specific
# image-builder options and workarounds further down.
OS_RELEASE=$(buildah run "$BUILDAH_ID" cat /etc/os-release)
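# buildah → container image
buildah commit "$BUILDAH_ID" "$OCI_TAG"
# Always clean up the temporary tag. Single quotes: the tag is expanded — and
# stays quoted — when the trap fires. With double quotes the value of
# $BUILDAH_ID (user input) would be pasted into the trap string and re-parsed
# by the shell, so whitespace or metacharacters in it would become commands.
trap 'podman rmi "$OCI_TAG"' EXIT INT QUIT PIPE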
# invoke bootc-image-builder
# ./tmp holds the merged config and the output tree; start from a clean slate
# (note: this also discards results of earlier runs for other buildah ids)
rm -rf -- ./tmp
OUTPUT="./tmp/$BUILDAH_ID"
mkdir -p -- "$OUTPUT"
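# Merge role customizations into the config.
# The blueprint always defines root with the public key derived above; users
# from an optional ./osbuild_config.yml are appended, but it may not redefine
# root. The key is passed as argv, never interpolated into the Python source.
# NOTE(review): root gets the literal password "foobar" — only acceptable
# because these images are meant for local test VMs; do not publish them.
python3 -c 'import sys, os, yaml, json
pubkey = sys.argv[1]
cfg = {"blueprint": {"customizations": {"user": [{"name": "root", "password": "foobar", "key": pubkey}]}}}
users = []
if os.path.exists("osbuild_config.yml"):
    with open("osbuild_config.yml", "r") as f:
        # safe_load only: never deserialise arbitrary objects from a config file.
        # An empty file loads as None; treat it as "no customizations".
        user_cfg = yaml.safe_load(f) or {}
    # both the full blueprint form and a bare "customizations" document are accepted
    if "blueprint" in user_cfg:
        users = user_cfg["blueprint"].get("customizations", {}).get("user", [])
    elif "customizations" in user_cfg:
        users = user_cfg["customizations"].get("user", [])
    if any(u.get("name") == "root" for u in users):
        print("ERROR: cannot override root user in osbuild_config.yml", file=sys.stderr)
        sys.exit(1)
cfg["blueprint"]["customizations"]["user"].extend(users)
with open("tmp/bib.config.json", "w") as f:
    json.dump(cfg, f)
' "$PUBKEY"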
# Local development: when the vault password file and the vaulted variables
# are present, let sudo fetch its password from the askpass helper next to this
# script (README.md explains adding "sudo_password" to the vault).
# CI runners such as GitHub Actions have passwordless sudo and never hit this.
if [ -e vault_pwd ] && [ -e vars/vault-variables.yml ]; then
    SUDO_ASKPASS="$MYDIR/vault-sudo-askpass.sh"
    export SUDO_ASKPASS
fi
# bootc-image-builder must be run as root container; also support breaking out
# of toolbox. run_root "$@" executes a command with root privileges in whatever
# way the current environment allows; AM_ROOT is non-empty only when no
# privilege escalation is needed (callers use it to skip the chown/restore).
AM_ROOT=
if systemd-detect-virt --quiet --container; then
    PRIV_MODE=toolbox
elif [ "$(id -u)" = 0 ]; then
    PRIV_MODE=root
else
    PRIV_MODE=sudo
fi
case "$PRIV_MODE" in
    toolbox)
        # the askpass helper lives in the toolbox, not on the host; sudo on the
        # host can therefore only take the password on stdin (-S)
        if [ -n "${SUDO_ASKPASS:-}" ]; then
            run_root() { "$SUDO_ASKPASS" | flatpak-spawn --host sudo -S -- "$@"; }
        else
            # best-effort: won't work in Ansible (no stdin), but for interactive calling
            run_root() { flatpak-spawn --host sudo -S -- "$@"; }
        fi
        ;;
    sudo)
        if [ -n "${SUDO_ASKPASS:-}" ]; then
            run_root() { sudo -A -- "$@"; }
        else
            run_root() { sudo -- "$@"; }
        fi
        ;;
    root)
        AM_ROOT=1
        run_root() { "$@"; }
        ;;
esac
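# r/w bind-mounting the user storage to image-builder container destroys file permissions
# Ideally we use the `--volume` `:O` (overlay) mode, which works fine for everything except CentOS 10
# (https://github.com/osbuild/bootc-image-builder/issues/943). So do an expensive workaround
# of copying the entire storage there.
#
# Everything from here on mutates host state (storage copy, renamed db.sql,
# root-owned output tree). restore_host_state undoes that and is hooked into
# the EXIT trap, so a failing image-builder run — which set -e turns into an
# immediate exit — no longer leaves a root-owned copy or a renamed db.sql behind.
restore_host_state() {
    # running as root: nothing was copied or renamed and the output is already ours
    if [ -n "$AM_ROOT" ]; then
        return 0
    fi
    # the builder container ran as root; hand the output back to the invoking user
    if [ -d "${OUTPUT:-}" ]; then
        run_root chown -R "$(id -u):$(id -g)" "$OUTPUT"
    fi
    if [ -e "$STORAGE/db.sql.bak" ]; then
        mv "$STORAGE/db.sql.bak" "$STORAGE/db.sql"
    fi
    if [ -n "${STORAGE_COPY:-}" ]; then
        run_root rm -rf "$STORAGE_COPY"
    fi
}
# replaces the earlier trap, so keep removing the temporary OCI tag as well
trap 'restore_host_state; podman rmi "$OCI_TAG"' EXIT INT QUIT PIPE

STORAGE_COPY=
if [ -z "$AM_ROOT" ] && [ "${OS_RELEASE%platform:el10*}" != "$OS_RELEASE" ]; then
    # never let an empty STORAGE turn the copy into a relative ".image-builder"
    : "${STORAGE:?podman storage location is unknown}"
    STORAGE_COPY="${STORAGE}.image-builder"
    # a copy left over from an aborted run would make cp -a nest the new copy
    # inside it and the bind mount below would point at the wrong tree
    run_root rm -rf "$STORAGE_COPY"
    run_root cp -a "$STORAGE" "$STORAGE_COPY"
    VOL_MODE="rw"
    STORAGE="$STORAGE_COPY"
else
    VOL_MODE="O"
fi
# GitHub's runners create a $STORAGE/db.sql which contains the absolute storage path; that breaks
# podman in the bootc-image-builder container. This is just a cache and can be removed safely;
# restore_host_state puts it back.
if [ -z "$AM_ROOT" ] && [ -e "$STORAGE/db.sql" ]; then
    mv "$STORAGE/db.sql" "$STORAGE/db.sql.bak"
fi
# image-builder requires --rootfs option for Fedora
ROOTFS_OPT=
if echo "$OS_RELEASE" | grep -q '^ID=fedora'; then
    ROOTFS_OPT="--rootfs=btrfs"
fi
# Builder image. It runs --privileged with an unconfined SELinux label as root
# (see the note above run_root), i.e. whatever this image contains is trusted
# with the host. Set BIB_IMAGE to pin it, ideally by @sha256 digest, instead of
# tracking the moving :latest tag.
BIB_IMAGE="${BIB_IMAGE:-quay.io/centos-bootc/bootc-image-builder:latest}"
# image-builder unfortunately needs $STORAGE to be writable, but that would destroy
# permissions on the host; so mount it with a temp overlay (or the rw copy from above).
# The config is only read, so it is mounted read-only. ${ROOTFS_OPT:-} is
# deliberately unquoted: it must expand to nothing when no option is needed.
run_root podman run --rm -i --privileged --security-opt=label=type:unconfined_t \
    --volume="$STORAGE":/var/lib/containers/storage:"$VOL_MODE" \
    --volume=./tmp/bib.config.json:/config.json:ro \
    --volume="$OUTPUT":/output \
    "$BIB_IMAGE" \
    --type=qcow2 ${ROOTFS_OPT:-} --config=/config.json \
    "$OCI_TAG"
# when running as user, permissions and the storage are restored by the EXIT
# trap (restore_host_state), on success and on failure alike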